05-30-2024 12:51 PM
Does anybody have a solution similar to Defender for Endpoint for using AMSI programmatically to scan incoming files? Essentially, we have a requirement to scan incoming files that are scanned prior to being sent along to their next hop. This all occurs in memory and never actually writes to the disk.
06-05-2024 12:36 AM
Moving post to Cortex XDR for more visibility.
06-05-2024 11:31 PM
Hello @JAEvans ,
Cortex XDR being execution based detection we do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.
preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"
If the malware plants in the memory and then executes which in turn comes to the surface, then the agent will prevent that attack
Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem !
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
